Information Security

What is data (information) security and why it’s important

Data security refers to protective measures that are applied to prevent unauthorized access (virtual or physical) to computers, databases and websites.

Protecting customer and other confidential data from malicious and accidental leaks is one of the top business and IT security challenges facing organizations today. This challenges are especially high in the IoT industry where many connected devices leads to more possibilities for hackers to target us.

“The mantra of any good security engineer is: ‘Security is a not a product, but a process.’ It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.”

Security model

A simple but widely-applicable security model that is designed to guide policies for information security is CIA triad (confidentiality, integrity and availability). In this context:

confidentiality is a set of rules that limits access to information. Cryptography and Encryption methods are an example of an attempt to ensure confidentiality of data transferred from one computer to another.

integrity is the assurance that the information is trustworthy and accurate. One type of security attack is to intercept some important data and make changes to it before sending it on to the intended receiver.

availability is a guarantee of reliable access to the information by authorized people. Some types of security attack attempt to deny access to the appropriate user, either for the sake of inconveniencing them, or because there is some secondary effect.

If any one of the three can be breached it can have serious consequences for the parties concerned.

ISDS approach

Most adequate approach for achieving high graded data security is to develop security by design, where design applies on the whole information system rather than on software only. We need to get away from thinking about security as a set of features. We must think about security as a cross-cutting concern — a concern that cuts across the functionality.

The security measures employed by ISDS approach based on CIA model provides:

Reliable TRANSFER of the data

Strong AUTHORIZATION process, and

PROTECTION of the stored DATA

Each of this three dimensions applies the components from CIA model, hence confidentiality and integrity of data is consider not only for data in-transit, but also for data during user authorization and for data stored in the database.

ISDS key features

ISDS information security solution developed by Nissatech follows the OWASP and SANS guidelines and general best practice for reliable software development in order to avoid well known vulnerabilities and provide stable and secure systems. Key features of this approach can be grouped by horizontal dimensions described above:

» Encrypted communication (https)

» End-to-end security (E2E)

» Endpoint identity verification

» Certificate and hostname verification

» Signed access tokens (JWT)

» Multi-factor authentication (TOTP)

» Dynamic permission-based access (on-the-fly)

» Source Traceability

» Data Encryption

» Data Integrity verification

Well designed System Architecture as foundation of a good security

Applications without security architecture are as bridges constructed without finite element analysis and wind tunnel testing. Sure, they look like bridges, but they will fall down at the first flutter of a butterfly’s wings. Although many people connects data security only with software implementation, good data protection requires well designed security architecture i.e. well configured network devices, scaled components and multitier architectural patterns.

From the perspective of the system architecture, ISDS approach is based on three-tier architecture, which main feature is physical isolation of the tiers. The client applications no longer connects to or communicates directly with the database server, nor do they directly access the tables or raw data defined in the database(s). All access to data – both for reading and for manipulation – goes through the application tier (web servers), which maintains full control over the data access. The web servers are usually deployed in a secure location with exposed a very limited interface to the network (standardized internet protocols like HTTP(s) and Web Socket).

As the admin privileges in wrong hands can damage system dramatically, system maintenance and remote access to the server machines is allowed ONLY through the highly secured VPN tunnel. This measure of protection is applied on SSH access as well.